[Samba] Samba + LDAP integration

Mugo Martin mmuchira at gmail.com
Sat Jul 26 14:36:25 GMT 2008 

Hi people,

Been doing a server installation with Samba as a primary PDC that uses an
LDAP backend on CentOS 5.
The thing is that I cannot be able to get Samba and LDAP to talk as they
should and now Im really stuck.
Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents
to /etc/openldap/ldap.conf too), and smbldap.conf.
Excuse my long post; trying to be as elaborate as possible.

smb.conf
**********
[global]
        workgroup = MYDOMAIN
        netbios name = MYDOMAIN
        server string = mydomain_office
        passdb backend = ldapsam:ldap://server.example.org
        passwd program = /usr/local/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
        username map = /etc/samba/smbusers
        log file = /var/log/samba/%m.log
        max log size = 100
        add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g users
        delete user script = /usr/local/sbin/smbldap-userdel "%u"
        add group script = /usr/local/sbin/smbldap-groupadd "%g"
        delete group script = /usr/local/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
"%g"
        delete user from group script = /usr/local/sbin/smbldap-userdel "%u"
"%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
"%u"
        add machine script = /usr/local/sbin/smbldap-useradd -n -c
"Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        logon script = %m.bat
        logon path = \\server.example.org\%U\profile
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=config
        ldap delete dn = Yes
        ldap group suffix = ou=groups
        ldap machine suffix = ou=machines
        ldap passwd sync = Yes
        ldap suffix = dc=example,dc=org
        ldap user suffix = ou=people
        idmap uid = 1000-19999
        idmap gid = 1000-19999
[homes]
        comment = Home Directories
        valid users = DOMAIN\%S
        read only = No
        browseable = No
[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No
[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes
        share modes = No

smbldap.conf
************
sambaDomain="MYDOMAIN"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
suffix="dc=example,dc=org"
usersdn="ou=people,${suffix}"
computersdn="ou=machines,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
scope="one"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userScript="logon.bat"
mailDomain="example.org"
with_smbpasswd="0"
with_slappasswd="0"

/etc/ldap.conf
**********************
host server.example.org
base dc=example,dc=org
binddn cn=config
bindpw 1w2345FJ
rootbinddn cn=zimbra,dc=example,dc=org

timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600

nss_base_passwd         ou=people,dc=example,dc=org?one
nss_base_shadow         ou=people,dc=example,dc=org?one

nss_base_group          ou=groups,dc=example,dc=org?one
nss_base_hosts          ou=machines,dc=example,dc=org?one

nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman

uri ldap://server.example.org
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

smbldap.conf
************
sambaDomain="MYDOMAIN"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
suffix="dc=example,dc=org"
usersdn="ou=people,${suffix}"
computersdn="ou=machines,${suffix}"
groupsdn="ou=groups,${suffix}"
sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
scope="one"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userScript="logon.bat"
mailDomain="example.org"
with_smbpasswd="0"
with_slappasswd="0"

smbldap_bind.conf
*****************
slaveDN="cn=config,dc=example,dc=org"
slavePw="1w2345FJ"
masterDN="cn=config,dc=example,dc=org"
masterPw="1w2345FJ"

The strange thing is that I can join a computer to the Domain, but only
using the Samba+samba_root_passwd. I can even see the computer entry in the
LDAP database when I run ldapsearch.
However, I cannot or log in to the domain with credentials in LDAP. Also I
cannot add machines to domain using privileged accounts stored in LDAP.
Strangely though, Samba commands
getent group
and
getent passwd
work just fine (obtain info in ldap) when Im user zimbra, but not as root
(yes user root); running these as root returns only system records in
/etc/passwd & /smbpasswd.
I think that I have done everything correctly including running the command
smbpasswd -w 1w2345FJ
for samba to connect to LDAP and putting the same password in
smbldap_bind.conf defined for "cn=config"
My diagnosis so far is that there is something not working in smbldap-tools

Please advice, will appreciate.

More information about the samba mailing list